The most contentious aspect of SOX is Section 404 (SOX 404), which requires management and external auditors to report on the adequacy of the company's Internal Control over Financial Reporting (ICOFR). This is noted by companies as the most costly aspect of the legislation to implement since documenting and testing important financial manual and automated controls requires enormous effort (Chan et al. 2005). However, the validation and correctness of the internal control has remained an issue to management units and accountants since their key responsibilities revolve around fulfilling implementation and auditing of internal control. While many firms have resorted to computerization of their operations, auditing remains a manual task for some organizations. Similarly, firms that have adopted computer auditing techniques have not yet fully attained effectiveness and efficiency. As such, the need for a useful computer auditing system becomes critical because manual audits cannot immediately recognize significant discrepancies unlike in computers. It is in this light wherein a simple, continuous, timely, and analytical computer-support auditing system and the SOX compliance becomes necessary for auditing personnel (Goldsmith 1999, Information System Audit and Control Association (ISACA) 2003, Huang and Chuang 2005, Yen et al. 2006). When the Enterprise Resource Planning (ERP) system was introduced, firms begun to handle information more precisely and accurately, and thus changed and improved the quality of accounting and financial processes. Manual operation in firms has been gradually phased out by the computer system. One factor may be that under manual practice, data are distributed to various files and books, which make internal control difficult and complicated. In response to this, Yen et al. (2006) and Coppers and Lybran (2002) pointed out that auditing personnel must properly deal with the change caused by the ERP system. Although many auditing software generated by the ERP system is considered reliable, auditing personnel find difficulty in using the system because of their insufficient knowledge concerning information technology. Apart from the lack of knowledge and unfamiliarity with the software, the ERP systems themself are complex enough for their application (Tsai and Feng 2004, Lanza 2005). Most firms deal with business processes through semi-manual methods, like the use of Microsoft Excel (Huang and Chuang 2005). Therefore, an easy-to-use computer auditing system developed exclusively for a certain ERP system is deemed expected and needed. It is on this concern that this research was anchored. Specifically, this research aims to achieve the following purposes:
(1) to explore the crucial control items of the purchasing and expenditure cycle in meeting the conditions of SOX 404;
(2) to develop a computer auditing system based on the recognized control items and requirements of SOX 404; and (3) to validate the applicability of the system using an ISO/IEC 9126 model in meeting organizational needs.